This disclosure describes systems, methods, and devices related to security for multi-link operation. A device may determine a multi-link communication with a first multi-link device comprising two or more links associated with two or more station devices (STAs) included in the first multi-link device. The device may determine a first medium access control (MAC) address associated with a first link of the two or more links. The device may determine a second MAC address associated with a second link of the two or more links. The device may generate one or more pairwise security keys to be used in the multi-link communication on the two or more links. The device may cause to send a frame to the first multi-link device using at least one combination of the one or more pairwise security keys.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A device for sharing a pairwise master key (PMK) and a pairwise master key security association (PMKSA) between a first multi-link device (MLD) and a second MLD, the device comprising processing circuitry coupled to storage, the processing circuitry configured to: establish a multi-link communication between two or more first station devices (STAs) of the first MLD and two or more second STAs of a second MLD using two or more links, wherein each STA of the two or more first STAs is a singly addressable instance within the first MLD; use an extensible authentication protocol (EAP) or a simultaneous authentication of equals (SAE) protocol to generate the PMK, wherein an authenticator address for the PMKSA is a first device address of the first MLD, and a supplicant address for the PMKSA is a second device address of the second MLD; compute a pairwise master key identifier (PMKID) based on the authenticator address; and use the PMK as a same key across the two or more links.
2. The device of claim 1, wherein the processing circuitry is further configured to: generate a frame header comprising one or more fields; and generate an additional authentication data (AAD) by utilizing at least one of the one or more fields of the frame header, wherein one of the at least one of the one or more fields is an address field.
3. The device of claim 2, wherein the AAD is comprised of two or more address fields, wherein a second address field (A2) is set to be equal to a medium access control (MAC) address of the first MLD.
4. The device of claim 1, wherein a pairwise transient key (PTK) and a pairwise transient key security association (PTKSA) are shared across links.
5. The device of claim 4, wherein the PTK and the PTKSA are shared across links by setting the authenticator address as a first device address of the first MLD and the supplicant address as a second device address of the second MLD.
6. The device of claim 1, wherein the processing circuitry is further configured to: replace a medium access control (MAC) address on both sides with device addresses of the first MLD and the second MLD when a simultaneous authentication of equals (SAE) protocol is used; and modify an additional authentication data (AAD) by using a transmitter device address for A2 and a receiver device address for A1.
7. The device of claim 6, wherein the processing circuitry is further configured to modify a counter with cipher block chaining message authentication code (CCM) nonce by using the transmitter device address for A2.
8. The device of claim 7, wherein the first MLD or the second MLD has a capability bit to indicate if changing the AAD or the CCM nonce is supported.
9. A non-transitory computer-readable medium storing computer-executable instructions which, when executed by one or more processors, for sharing a pairwise master key (PMK) and a pairwise master key security association (PMKSA) between a first multi-link device (MLD) and a second MLD, result in performing operations comprising: establishing a multi-link communication between two or more first station devices (STAs) of the first MLD and two or more second STAs of a second MLD using two or more links, wherein each STA of the two or more first STAs is a singly addressable instance within the first MLD; using an extensible authentication protocol (EAP) or a simultaneous authentication of equals (SAE) protocol to generate the PMK, wherein an authenticator address for the PMKSA is a first device address of the first MLD, and a supplicant address for the PMKSA is a second device address of the second MLD; computing a pairwise master key identifier (PMKID) based on the authenticator address; and using the PMK as a same key across the two or more links.
10. The non-transitory computer-readable medium of claim 9, wherein the operations further comprise: generating a frame header comprising one or more fields; and generating an additional authentication data (AAD) by utilizing at least one of the one or more fields of the frame header, wherein one of the at least one of the one or more fields is an address field.
11. The non-transitory computer-readable medium of claim 10, wherein the AAD is comprised of two or more address fields, wherein a second address field (A2) is set to be equal to a medium access control (MAC) address of the first MLD.
12. The non-transitory computer-readable medium of claim 9, wherein a pairwise transient key (PTK) and a pairwise transient key security association (PTKSA) are shared across links.
13. The non-transitory computer-readable medium of claim 12, wherein the PTK and the PTKSA are shared across links by setting the authenticator address as a first device address of the first MLD and the supplicant address as a second device address of the second MLD.
14. The non-transitory computer-readable medium of claim 9, wherein the operations further comprise: replacing a medium access control (MAC) address on both sides with device addresses of the first MLD and the second MLD when a simultaneous authentication of equals (SAE) protocol is used; and modifying an additional authentication data (AAD) by using a transmitter device address for A2 and a receiver device address for A1.
15. The non-transitory computer-readable medium of claim 14, wherein the operations further comprise modifying a counter with cipher block chaining message authentication code (CCM) nonce by using the transmitter device address for A2.
16. The non-transitory computer-readable medium of claim 15, wherein the first MLD or the second MLD has a capability bit to indicate if changing the AAD or the CCM nonce is supported.
17. A method for sharing a pairwise master key (PMK) and a pairwise master key security association (PMKSA) between a first multi-link device (MLD) and a second MLD, the method comprising: establishing a multi-link communication between two or more first station devices (STAs) of the first MLD and two or more second STAs of a second MLD using two or more links, wherein each STA of the two or more first STAs is a singly addressable instance within the first MLD; using an extensible authentication protocol (EAP) or a simultaneous authentication of equals (SAE) protocol to generate the PMK, wherein an authenticator address for the PMKSA is a first device address of the first MLD, and a supplicant address for the PMKSA is a second device address of the second MLD; computing a pairwise master key identifier (PMKID) based on the authenticator address; and using the PMK as a same key across the two or more links.
18. The method of claim 17, further comprising: generating a frame header comprising one or more fields; and generating an additional authentication data (AAD) by utilizing at least one of the one or more fields of the frame header, wherein one of the at least one of the one or more fields is an address field.
19. The method of claim 18, wherein the AAD is comprised of two or more address fields, wherein a second address field (A2) is set to be equal to a medium access control (MAC) address of the first MLD.
20. The method of claim 17, wherein a pairwise transient key (PTK) and a pairwise transient key security association (PTKSA) are shared across links.
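As an added worked example (not part of the patent text), the following Python shows the effect the claims describe: when the authenticator and supplicant addresses of the PMKSA are the MLD device addresses rather than per-link STA addresses, every link computes one and the same PMKID, and the CCMP nonce carries the transmitter's MLD address in A2. The PMKID formula is the IEEE 802.11 one for SHA-256 AKMs (Truncate-128(HMAC-SHA-256(PMK, "PMK Name" || AA || SPA))); the PMK and all addresses are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample values (not from the patent).
PMK = bytes.fromhex("0f" * 32)                    # 256-bit PMK from EAP or SAE
AP_MLD_ADDR = bytes.fromhex("02aa00000001")       # first MLD (authenticator) device address
STA_MLD_ADDR = bytes.fromhex("02bb00000001")      # second MLD (supplicant) device address
# Per-link affiliated STA MAC addresses on each side (two links).
AP_LINK_ADDRS = [bytes.fromhex("02aa00000002"), bytes.fromhex("02aa00000003")]
STA_LINK_ADDRS = [bytes.fromhex("02bb00000002"), bytes.fromhex("02bb00000003")]


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """IEEE 802.11 PMKID = Truncate-128(HMAC-SHA-256(PMK, "PMK Name" || AA || SPA))."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha256).digest()[:16]


def per_link_pmkids(pmk: bytes, ap_links: list, sta_links: list) -> list:
    """Legacy (per-link) keying: AA/SPA are the link STA addresses, so each
    link yields a different PMKID and therefore a separate PMKSA."""
    return [pmkid(pmk, aa, spa) for aa, spa in zip(ap_links, sta_links)]


def mld_pmkids(pmk: bytes, ap_mld: bytes, sta_mld: bytes, n_links: int) -> list:
    """Claimed keying: AA/SPA are the MLD device addresses, so whichever link
    carried the handshake, every link derives the identical PMKID and the
    single PMKSA/PMK is shared across all of them."""
    return [pmkid(pmk, ap_mld, sta_mld) for _ in range(n_links)]


def ccmp_nonce(a2: bytes, pn: int, priority: int = 0, management: bool = False) -> bytes:
    """CCMP nonce (13 bytes) = Nonce Flags || A2 || PN, with A2 set to the
    transmitter's MLD device address as the claims describe. Because A2 is now
    the same on every link, the packet number (PN) must never repeat across
    links under one PTK, or the CCM nonce is reused."""
    flags = (priority & 0x0F) | (0x10 if management else 0)
    return bytes([flags]) + a2 + pn.to_bytes(6, "big")


if __name__ == "__main__":
    print("per-link PMKIDs distinct:", len(set(per_link_pmkids(PMK, AP_LINK_ADDRS, STA_LINK_ADDRS))))
    print("MLD PMKIDs distinct:     ", len(set(mld_pmkids(PMK, AP_MLD_ADDR, STA_MLD_ADDR, 2))))
    print("nonce:", ccmp_nonce(AP_MLD_ADDR, 7, priority=3).hex())
```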
December 7, 2022
January 28, 2025